ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right
of access?
Yes
No
X Unsure/don’t know


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Little unsure why the right to portability is given such prominence and not other rights 
like restriction? 


Q2 Does the draft guidance contain the right level of detail? 


X Yes
No
Unsure/don’t know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 Does the draft guidance contain enough examples? 


Yes
X No
Unsure/don’t know


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


We think there should be practical examples around excessive/manifestly unfounded 
requests. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


The problem we have is that we don’t have any confirmed examples of what a manifestly unfounded or
excessive request looks like. The Welsh Government was leaning towards requests asking for all a requester’s personal
data with no parameters (and no co-operation to narrow it down) as being ‘excessive’ but the guidance
advises otherwise. In terms of clarifying the request, the doc says ‘this does not affect the timescale for
responding - you must still respond to their request within one month’. Whilst recognizing the separate
regimes, this does directly contradict the position under FOI and begs the question as to what the process is if
the requester clarifies on day 29 and substantially changes the request?


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful
O O O O 


Q6 Why have you given this score? 


Because it was clear and comprehensive. 


The code says “Under the right of access, an individual is only entitled to their own personal data. They are not entitled to information relating to other people 
(unless their data also relates to other individuals). Before you can respond to a SAR, you need to decide whether the information you hold is personal data and, if 
so, who it belongs to.” We think it needs to be clear what “who it belongs to” means - presumably it is about being the controller of the personal data as outlined in 
page 5 (who is responsible for responding to a request). 


Page 10 “Can a request be made on behalf of someone”. We think clarity is needed on what constitutes “written authority” e.g. a signed form / letter - what 
obligation is on the controller to verify these (how does the controller know these have been completed by the data subject)? 


Page 19 “Do we need to make reasonable adjustments for disabled people?”. What happens if the controller can't reach an agreement with the data subject on how
best to meet their needs? What are the controller’s obligations in such a case e.g. do they provide the personal data in a format of their choosing or are they not
required to respond to the request (it is not valid).


Page 38 “the reasons why”. What level of detail is required when using an exemption - is it sufficient to cite the exemption or is more information required e.g. why
the personal data has a duty of confidence, how it meets the health data / social work data / education data test, details of crime prevention, why it is subject to
legal professional privilege etc.


Page 40 (step 2) “However, you are not obliged to ask for consent. Indeed, in some circumstances, it may not be appropriate to do so, for instance if it would
involve a disclosure of personal data about the requester to the third party.”. When would this not be the case, given you are seeking consent because the personal
data relates to another individual as well as the requester? In reality we don't think this “three-step rule” works and believe the ICO should provide more
constructive, workable guidance on this particular issue.


Page 39-45 This doesn't deal with naming / identifying individuals as the source of the personal data. 
Page 56 As a general point, aren't almost all references provided in confidence? 


Page 77 “It is a criminal offence to require an individual to make a SAR, in certain circumstances and in relation to certain information”. What do “certain 
circumstances” and “in relation to certain information” mean in this context - it suggests there is wriggle-room in this regard and clarity around this is needed. 


Page 77 “Is it a criminal offence to destroy and conceal information”. This is covered earlier on page 28 “can we amend data following receipt of a SAR”, and we 
think the code needs to be careful it is not seemingly providing contradictory advice as it is reasonable for data to be amended or deleted while you are dealing with 
a request. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree
O 0O O Xl 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation

O Other 


Please specify the name of your organisation: 


Welsh Government 


What sector are you from: 


Q10 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


